Your rights and privacy

This information is provided under the requirements of the General Data Protection Regulation and the Data Protection Act 2018. This shows you how personal data is processed by the National Disease Registration Service (NDRS). 

Identity and contact details of the data controller 

Public Health England is the data controller for all information collected and processed as part of disease registration. 

The data protection officer can be contacted on dataprotectionofficer@phe.gov.uk  

Where does the information about me come from? 

If you have been diagnosed with cancer, a rare disease or a congenital anomaly, the NHS team looking after you will record information about the care and treatment you receive. This information is shared with NDRS.  

This applies to children as well as adults.  

This information comes from many sources. See what data is collected here. 

What data about me will be collected? 

The NHS shares the following information with NDRS: 

  • your name and date of birth  
  • your gender and ethnicity  
  • your address and NHS number  
  • information about your diagnosis and treatment  

We do not hold or have access to your mobile phone number or email address.  

When is my data collected, and how long is it kept for? 

We start collecting data as soon as you are being investigated for cancer, a rare disease or a congenital anomaly. We then follow your treatment for the rest of your life. We do this because we need to see if the disease comes back or if there are any side-effects from the treatment you receive. 

It is important we hold data for at least the lifetime of the patient so that we can spot long term trends and carry out research. For example, some forms of cancer can be inherited. For those families with this genetic risk, long term monitoring is important. 

Find out more about how disease registration data is used to improve diagnosis and treatment of cancer, rare diseases and congenital anomalies in our data stories or watch our webinars. 

NDRS and the law 

The legal basis for NDRS to collect and use your personal information is provided by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The following sections state that: 

  • GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest’  
  • GDPR Article 9(2)(h) ‘processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services’  
  • Data Protection Act Schedule 1 Part 1 (2) ‘health or social care purposes’  

NDRS and patient confidentiality 

We have legal permission to collect patient-level data and to use it to protect the health of the population. This permission is given under Section 251 of the NHS Act 2006. Everyone working with patient data is trained in information governance and follows strict rules to make sure patient information stays safe. 

Find out more about how we keep data safe here.

Where is the data processed? 

The data is never processed outside the UK and is always held safely and securely in England.  

How is data shared? 

We treat the data we hold with great care. Wherever possible, de-personalised data or anonymous data is used to protect patient confidentiality. We also apply the National Data Guardian’s Caldicott Principles to ensure we only provide the minimum amount of data necessary. You can see what data is released from the Office for Data Release website here.  

If data is shared with other organisations, strict rules must be followed. When we receive a request for data, we check that the data will be used appropriately for an important purpose.  

Find out more about how data is shared here. 

What are my rights in relation to the use of the personal data you hold about me? 

Anyone can opt-out of disease registration at any time. It will not affect the care you receive from the NHS. Read more about opting-out here. 

Can I see my own data? 

If you would like to see what data we hold on you, you need to make a Subject Access Request (SAR) by emailing FOI@phe.gov.uk. 

First, we will verify your identity by asking for copies of your ID. Once the request is approved, we will send their information to their GP or clinical specialist. This makes sure that the information gets to you securely.

Where can I find out more? 

If you want more information, you can contact our Data Protection Officer at dataprotectionofficer@phe.gov.uk. 

Webpage last updated: August 2021